Setting up iRODS

PAM Authentication

Dan Bedard

Interim Executive Director

The iRODS Consortium

RENCI at the University of North Carolina

Major Steps

1) Set up SSL

2) Test PAM

3) Set up PAM Module

 

These instructions derived from

https://docs.irods.org/master/manual/authentication/#pam

Diagram: the iRODS Client connects to the iRODS Server over SSL; on the server, the PAM Plugin calls the PAM Module.

Diagram: SSL between the iRODS Client and the iRODS Server.

SSL

iRODS Server

Summary

1) Generate an RSA Key

2) Obtain a Certificate

    a) For production, purchase a certificate from a CA

    b) For testing, generate a self-signed certificate

3) Create a chain file of server and CA certificates

4) Generate Diffie-Hellman parameters

5) Copy files where iRODS server can read them

6) Set iRODS server environment variables

7) Restart iRODS server

SSL

iRODS Server

1) Generate an RSA key:

$ openssl genrsa -out server.key

This is the server's private key; your server certificate, whether it is issued by a CA or self-signed, belongs to this key.

SSL

iRODS Server

2b) Generate a self-signed certificate:

$ openssl req -new -x509 -key server.key -out server.crt -days 365
You are about to be asked to enter information... [omitted]
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utrecht University
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ec2-52-0-100-96.compute-1.amazonaws.com
Email Address []:info@irods.org

SSL

iRODS Server

2a) Alternatively, if you are obtaining a certificate from a CA, generate a Certificate Signing Request (CSR):

$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information... [omitted]
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utrecht University
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ec2-52-0-100-96.compute-1.amazonaws.com
Email Address []:info@irods.org

SSL

iRODS Server

3) Create a chain file. This is a concatenation of the iRODS server certificate and the certificates of the chain of CAs leading to the root CA.

For self-signed certs this is effectively already done. For consistency, just rename server.crt:

$ mv server.crt chain.pem

For CA-issued certificates, you will type something like...

$ cat irods.crt DomainValidationCA.crt AddTrustCA.crt ExternalCARoot.crt >> chain.pem

SSL

iRODS Server

4) Generate Diffie-Hellman parameters. These are random seed parameters used to generate session keys.

$ openssl dhparam -2 -out dhparams.pem 2048

See Wikipedia article on DH

SSL

iRODS Server

5) Copy the files where iRODS can read them:

$ sudo mkdir /etc/irods/ssl
$ sudo cp {server.key,chain.pem,dhparams.pem} /etc/irods/ssl
$ sudo chown -R irods:irods /etc/irods/ssl

SSL

iRODS Server

6) Update the iRODS server environment:

$ sudo nano ~irods/.irods/irods_environment.json

"irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
"irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
"irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem"

SSL

iRODS Server

7) Restart the iRODS server:

$ sudo service irods restart

NOT SO FAST!

SSL

iRODS Client

If you're using a self-signed certificate (or a lesser-known CA), the iRODS client won't trust the server's certificate.

We need to tell the client to explicitly trust this certificate by...

1) Copying the CA's certificate to a place the client can read it.

2) Updating the client environment to tell iRODS to trust the certificate.

SSL

iRODS Client

1) Copy the CA's certificate to a place the client can read it:

$ scp chain.pem <client user>@<client host>:/home/<client user>/.irods

SSL

iRODS Client

2) Update the client environment. From the client:

$ nano ~/.irods/irods_environment.json

"irods_ssl_ca_certificate_file": "/home/<client user>/.irods/chain.pem"
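The server-side SSL steps above (1, 2b, 3 and 4) and the client trust step, scripted as an added example that is not from the slides or from the iRODS documentation. It generates the self-signed variant into a directory of your choice and then checks what the slides leave to the reader: that the first certificate in chain.pem matches server.key, that the chain verifies, that the certificate names the host clients will put in irods_host, and that the key is not group/world readable. It assumes openssl 1.1.1 or newer is installed (for -addext); the function names, the output directory and the hostname irods.example.org are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the slides or the iRODS documentation.
# Scripts the self-signed path of the server-side SSL steps (1, 2b, 3, 4) into
# OUTDIR and then checks the result before it is copied to /etc/irods/ssl.
# Assumes openssl 1.1.1 or newer is installed.

# setup_irods_ssl OUTDIR FQDN [DH_BITS]
#   FQDN is the hostname clients use in irods_host; DH_BITS defaults to 2048.
setup_irods_ssl() {
    outdir=$1; fqdn=$2; dh_bits=${3:-2048}
    mkdir -p "$outdir" || return 1
    umask 077   # private key and DH params must not be group/world readable

    # 1) RSA private key
    openssl genrsa -out "$outdir/server.key" 2048 >/dev/null 2>&1 || return 1
    # 2b) self-signed certificate; -subj/-addext replace the interactive prompts,
    #     and a subjectAltName covers clients that ignore the CN
    openssl req -new -x509 -key "$outdir/server.key" -out "$outdir/server.crt" -days 365 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1 || return 1
    # 3) chain file: for a self-signed certificate it is the certificate alone
    cp "$outdir/server.crt" "$outdir/chain.pem" || return 1
    # 4) Diffie-Hellman parameters (2048 bits takes a while; that is normal)
    openssl dhparam -2 -out "$outdir/dhparams.pem" "$dh_bits" >/dev/null 2>&1 || return 1

    check_irods_ssl "$outdir" "$fqdn"
}

# check_irods_ssl DIR FQDN: fail loudly on the mistakes that otherwise surface
# only as an opaque SSL handshake error on the client
check_irods_ssl() {
    dir=$1; fqdn=$2
    # the first certificate in chain.pem must carry the public half of server.key
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$dir/chain.pem" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] \
        || { echo "chain.pem does not match server.key" >&2; return 1; }
    # the chain must verify: a self-signed cert is its own trust anchor, a
    # CA-issued cert needs every intermediate concatenated after it
    openssl verify -CAfile "$dir/chain.pem" "$dir/chain.pem" >/dev/null 2>&1 \
        || { echo "chain.pem does not verify" >&2; return 1; }
    # clients check the hostname they connected to against the certificate
    openssl x509 -in "$dir/chain.pem" -noout -checkhost "$fqdn" 2>/dev/null | grep -q "does match" \
        || { echo "certificate does not name $fqdn" >&2; return 1; }
    # the DH parameter file must at least parse
    openssl dhparam -in "$dir/dhparams.pem" -noout -text >/dev/null 2>&1 \
        || { echo "dhparams.pem is not a valid DH parameter file" >&2; return 1; }
    # group and other permission bits of server.key must be empty
    case $(ls -l "$dir/server.key" | cut -c5-10) in
        ------) ;;
        *) echo "server.key is readable by group or others" >&2; return 1 ;;
    esac
    return 0
}

# print the environment fragments the slides add by hand
irods_ssl_env_snippets() {
    cat <<'EOF'
# server: ~irods/.irods/irods_environment.json
"irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
"irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
"irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem"
# client: ~/.irods/irods_environment.json (after copying chain.pem there)
"irods_ssl_ca_certificate_file": "/home/<client user>/.irods/chain.pem"
EOF
}

# run directly: sh this_script.sh /tmp/irods-ssl irods.example.org
if [ $# -ge 2 ]; then
    setup_irods_ssl "$@" && irods_ssl_env_snippets
fi
```

After a successful run, steps 5 through 7 from the slides still apply: copy the three files to /etc/irods/ssl, chown them to irods, add the printed server fragment, restart the server, and on each client copy chain.pem into ~/.irods and add the client fragment. Running check_irods_ssl again against a CA-issued chain is the quickest way to notice a missing intermediate certificate.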

Diagram: the iRODS Client connects to the iRODS Server over SSL; the server's PAM Plugin is the next piece to set up.

PAM Plugin

We are going to test the SSL connection between the client and the server. To do this, we will set up an overly permissive PAM configuration using the pam_permit.so module.

Summary of instructions

1) On the server, set up the iRODS PAM plugin to use pam_permit.so

2) Edit the client environment to use PAM authentication

3) iinit from the client to test

PAM Plugin

iRODS Server

1) Set up the iRODS PAM plugin to use pam_permit.so:

$ sudo su - root -c 'echo "auth sufficient pam_permit.so" > /etc/pam.d/irods'

You can test the PAM configuration using PamAuthCheck:

$ /var/lib/irods/iRODS/server/bin/PamAuthCheck nobody

Authenticated

PAM Plugin

iRODS Client

2) Edit the client iRODS environment:

$ nano ~/.irods/irods_environment.json

{
    "irods_host": "<server hostname>",
    "irods_port": 1247,
    "irods_user_name": "admin",
    "irods_zone_name": "<server zonename>",
    "irods_ssl_ca_certificate_file": "/home/admin/.irods/chain.pem",
    "irods_authentication_scheme": "PAM"
}

Change the authentication scheme to PAM.

PAM Plugin

iRODS Client

3) iinit with an elevated log level:

$ irods_log_level=LOG_NOTICE iinit
Enter your current PAM password:

Any username and password should be successful.

Now let's fix that...

Diagram: the iRODS Client connects to the iRODS Server over SSL; the PAM Plugin hands authentication to the PAM Module, the last piece to set up.

PAM Module

The authentication mechanism is determined by entries in /etc/pam.d/irods

The pam.conf man page explains the syntax of the PAM configuration file in detail.

iRODS Server

The file is made up of a list of rules. The format of each rule is a space-separated collection of tokens:

service type control module-path module-arguments

Note that in practice the "service" field is absent: it is represented by the filename of each entry in /etc/pam.d.

The iRODS PAM service is called "irods"

(i.e., the appropriate filename is /etc/pam.d/irods)

PAM Module Example: using pam_unix.so

iRODS Server

 auth sufficient pam_unix.so

PAM Module Example: using pam_google_authenticator.so

iRODS Server

 auth [success=3 new_authtok_reqd=ok default=ignore] pam_policycache.so action=check
 auth [success=ok default=1] pam_google_authenticator.so forward_pass
 auth [success=1 default=ignore] pam_unix.so use_first_pass
 auth requisite pam_deny.so
 auth [default=ignore] pam_policycache.so action=update
 auth required pam_permit.so

PAM Module Example: pam_ldap.so

iRODS Server

 auth sufficient pam_ldap.so
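To make the rule syntax concrete, and to catch the pam_permit.so test configuration from earlier before it reaches production, here is an added example (not code from the slides or from iRODS) that parses an /etc/pam.d/irods file into its type, control, module-path and module-arguments tokens, expands the simple control keywords into their bracketed equivalents from pam.conf(5), and flags an auth stack that succeeds without checking any credential. The function and constant names are this example's own; the sample inputs are the configurations shown on these slides, embedded as constructed strings.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the slides or iRODS): a parser and lint for
# /etc/pam.d/<service> files such as /etc/pam.d/irods.

# Bracketed equivalents of the simple control keywords, as given in pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# type, control (keyword or [...]), module-path, optional module-arguments;
# the "service" field is implied by the file name under /etc/pam.d and absent.
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamRule:
    type: str          # auth, account, password or session
    control: str       # as written: keyword or bracketed value=action list
    module: str        # e.g. pam_unix.so
    args: list = field(default_factory=list)

    def actions(self) -> dict:
        """Return the control field as {module return value: action}."""
        spec = SIMPLE_CONTROLS.get(self.control, self.control)
        if not (spec.startswith("[") and spec.endswith("]")):
            raise ValueError(f"unknown control field {self.control!r}")
        return dict(tok.split("=", 1) for tok in spec[1:-1].split())


def parse_pam(text: str) -> list:
    """Parse the rules of one /etc/pam.d file; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # @include pulls in another file; not followed here
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        ptype, control, module, rest = m.groups()
        # a leading "-" on the type only silences logging when the module is missing
        rules.append(PamRule(ptype.lstrip("-").lower(), control, module, rest.split()))
    return rules


def lint_auth_stack(rules) -> list:
    """Flag auth stacks that authenticate without checking any credential."""
    auth = [r for r in rules if r.type == "auth"]
    if not auth:
        return ["no auth rules: PAM falls back to the 'other' service"]
    findings = []
    if {r.module for r in auth} == {"pam_permit.so"}:
        findings.append("auth stack is only pam_permit.so: any password is accepted")
    for n, r in enumerate(auth, 1):
        # success=done (the "sufficient" keyword) ends the stack as authenticated
        if r.module == "pam_permit.so" and r.actions().get("success") == "done":
            findings.append(f"auth rule {n}: pam_permit.so ends the stack as "
                            "authenticated before any credential check")
    return findings


# Constructed inputs: the slides' test configuration and the Google Authenticator example.
PERMISSIVE_TEST_CONFIG = "auth sufficient pam_permit.so\n"
GOOGLE_AUTH_CONFIG = """\
auth [success=3 new_authtok_reqd=ok default=ignore] pam_policycache.so action=check
auth [success=ok default=1] pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth [default=ignore] pam_policycache.so action=update
auth required pam_permit.so
"""

if __name__ == "__main__":
    for name, cfg in [("pam_permit test", PERMISSIVE_TEST_CONFIG),
                      ("google authenticator", GOOGLE_AUTH_CONFIG)]:
        findings = lint_auth_stack(parse_pam(cfg))
        print(f"{name}: {findings or 'no findings'}")
```

The Google Authenticator stack passes the lint even though it ends with pam_permit.so: that rule uses `required` (success=ok, not done), and the `requisite pam_deny.so` before it can only be skipped by the success=N jumps from a module that actually checked something. Running the lint over /etc/pam.d/irods before the final restart is a cheap way to make sure the pam_permit.so test line from the previous section did not survive.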

Questions?

Thank you!

 

Dan Bedard

danb@renci.org

+1-919-445-0632